NAT Traversal for VoIP Dr. Quincy Wu National Chi Nan University Email: solomon@ipv6.club.tw.tw 1 TAC2000/2000
NAT Traversal Where is NAT What is NAT Types of NAT NAT Problems NAT Solutions Program Download 2 TAC2000/2000
NTP VoIP Platform LABORATORY 117 W LAN Gateway Call Server Media Gateway Station Interface NCTU PBX Trunk Interface Phone 03-5912312 W LAN User WLAN AP Station Interface 03-5712121 Campus Network Hsinchu Edge Route TANet SIP Phone 0944021026 SIP Phone SIP Phone 0944021021 0944021022 Phone 31842 Phone 31924 Phone 31340 Phone 31350 PSTN Edge Route Call Server Media Gateway Station Interface PU PBX 04-26328001 Trunk Interface Taichung Adm in C onsole Campus Network Station Interface Phone 04-22251133 SIP Phone 0944021401 SIP Phone 0944021402 Phone 13411 Phone 13404 Phone 13419 Phone 13429 3 TAC2000/2000
What is NAT NAT - Network Address Translation RFC 3022 - Traditional IP Network Address Translator (Traditional NAT) RFC 1918 - Address Allocation for Private Internets (BCP 5) RFC 2993 - Architectural Implications of NAT RFC 3027 - Protocol Complications with the IP Network Address Translator RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines Convert Network Address (and Port) between private and public realm Works on IP layer Transparent for Application 4 TAC2000/2000
NAT Schematic Computer A IP: 10.0.0.1 Port: 80 NAT IP: 202.123.211.25 Port: 10080 Public Internet Computer B IP: 10.0.0.2 Port: 80 IP: 202.123.211.25 Port: 20080 Public NIC DHCP Client PPPoE Client DHCP Server Mapping Table 10.0.0.1:80 <-> 10080 10.0.0.2:80 <-> 20080 Private NIC 5 TAC2000/2000
Full Cone Restricted Cone Port Restricted Cone Symmetric Types of NAT 6 TAC2000/2000
Full Cone NAT Client send a packet to public address A. NAT allocate a public port (12345) for private port (21) on the client. Any incoming packet (from A or B) to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 Mapping Table 10.0.0.1:21 <-> 12345 NAT IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 7 TAC2000/2000
Restricted Cone NAT (1/2) Client send a packet to public address A. NAT allocate a public port (12345) for private port (21) on the client. Only incoming packet from A to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT Mapping Table 10.0.0.1:21 <-> 12345 (for A) IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 8 TAC2000/2000
Restricted Cone NAT (2/2) Client send another packet to public address B. NAT will reuse allocated public port (12345) for private port (21) on the client. Incoming packet from B to public port (12345) will now dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT Mapping Table 10.0.0.1:21 <-> 12345 (for A) 10.0.0.1:21 <-> 12345 (for B) IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 9 TAC2000/2000
Port Restricted Cone NAT Client send a packet to public address A port 20202. NAT will allocate a public port (12345) for private port (21) on the client. Only incoming packet from address A and port 20202 to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Computer A IP: 222.111.99.1 Port: 20202 Port: 30303 Mapping Table 10.0.0.1:21 <-> 12345 (for A : 20202) 10.0.0.1:21 <-> 12345 (for A : 30303) 10 TAC2000/2000
Symmetric NAT NAT allocate a public port each time the client send a packet to different public address and port Only incoming packet from the original mapped public address and port will dispatch to private port on client Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 IP: 202.123.211.25 Port: 45678 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 Mapping Table 10.0.0.1:21 <-> 12345 (for A : 20202) 10.0.0.1:21 <-> 45678 ( for B : 10101) 11 TAC2000/2000
VoIP Protocol and NAT NAT convert IP addresses on IP layer Problem 1: SIP, H.323, Megaco and MGCP are application layer protocol but contain IP address/port info in messages, which is not translated by NAT Problem 2: Private client must send a outgoing packet first (to create a mapping on NAT) to receive incoming packet 12 TAC2000/2000
Lab Environment UA1: UA behind NAT. UA2: SIP device outside NAT. Call Server: SIP-express router 0.8.12. NAT: Linux Fedora Core 2. Packet Capturer: Ethereal-0.9.15. Call Server NCNU-SIP.ipv6.club.tw 0944021404 UA1 NAT IPv6 only 0944021021 UA2 Ethereal 13 TAC2000/2000
The Problem (1/2) Due to private address, the Via header and Contact address in SIP messages sent by UA1 are incorrect. With incorrect Via header, responses of messages sent by UA1 cannot be routed back. With incorrect Contact address in REGISTER messages, call server cannot inform UA1 the incoming calls. UA1 can only act as a calling party. 14 TAC2000/2000
Incorrect REGISTER Message LABORATORY 117 15 TAC2000/2000
The Problem (2/2) When UA1 initiate a call, the connection information for media establishment in SDP are also incorrect. UA2 gets a private peer address, the RTP packets from UA2 cannot be routed to UA1. Media can only be sent from UA1 to UA2. 16 TAC2000/2000
Incorrect Fields in SDP of INVITE Message LABORATORY 117 17 TAC2000/2000
Solving NAT Traversal Problems Target: Discover mapped public IP & port for private IP & port Use mapped public IP & port in application layer message Keep this mapping valid Timing Issue NAT will automatically allocate a public port for a private address & port if need. NAT will release the mapping if the public port is idle No TCP connection on the port No UDP traffic on the port for a period (45 sec ~ 5 min) Keep a TCP connection to target Send UDP packet to target every specified interval 18 TAC2000/2000
NAT Solutions IPv6 (Internet Protocol Version 6) UPnP (Universal Plug-and and-play) UPnP Forum - http://www.upnp.upnp.org/.org/ VPN (Virtual Private Network) Proprietary protocol by NAT/Firewall SIP ALG (Application Level Gateway) No standard now. Not applicable for existing NATs. SIP extensions for NAT traversal RFC 3581 - rport Works for SIP only, can not help RTP to pass through NAT STUN (Simple Traversal of UDP Through Network Address Translators) s) RFC 3489 Works except symmetric NAT TURN (Traversal Using Relay NAT) draft-rosenberg rosenberg-midcom-turn-08 for symmetric NAT 19 TAC2000/2000
UPnP Universal Plug-and-Play 20 TAC2000/2000
LABORATORY 117 NAT Traversal with UPnP NAT NAT Device NAT Device NAT! IGD -- Internet Gateway Device UPnP Device (IGD) Public IP, 21 TAC2000/2000
NAT 22 TAC2000/2000
LABORATORY 117 UPnP IGD UPnP / public IP mapping port mapping port mapping 23 TAC2000/2000
LABORATORY 117 UPnP NAT UPnP Control Message IGD Port Mapping : : 192.168.0.14 port 10001 UDP IGD port mapping 24 TAC2000/2000
IGD Control Message POST /upnphost/udhisapi.dll?control?control=uuid:c3038e95-ea88-4d5c-98ff-3ad68f7aaa32+urn:upnp-org:serviceid:wanipconn1:wanipconn1 HTTP/1.1 Host: 192.168.0.1:2869 Content-Length: 734 Content-Type: text/xml; charset="utf "utf-8" SOAPAction: : "urn:schemas-upnp upnp-org:service:wanipconnection :WANIPConnection:1#AddPortMapping" <SOAP-ENV:Envelope xmlns:soap :SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/".org/soap/envelope/" SOAP-ENV ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">.org/soap/encoding/"> <SOAP-ENV:Body> <u:addportmapping xmlns:u="urn:schemas :u="urn:schemas-upnp-org:service:wanipconnection:1">:1"> <NewRemoteHost></ ></NewRemoteHost> <NewExternalPort>17769</ >17769</NewExternalPort> <NewProtocol>UDP</ >UDP</NewProtocol> <NewInternalPort>10001</ >10001</NewInternalPort> <NewInternalClient>192.168.0.146</ >192.168.0.146</NewInternalClient NewInternalClient> <NewEnabled>1</ >1</NewEnabled> <NewPortMappingDescription>s2EAYp (192.168.0.146:10001) 17769 UDP</NewPortMappingDescription /NewPortMappingDescription> <NewLeaseDuration>0</ >0</NewLeaseDuration> </u:addportmapping :AddPortMapping> </SOAP-ENV:Body> </SOAP-ENV:Envelope> 25 TAC2000/2000
LABORATORY 117 Current Defects of UPnP Aging port mapping UPnP Multi-level level NAT NAT IP 26 TAC2000/2000
Simple Traversal of UDP Through Network Address Translators (STUN) 27 TAC2000/2000
STUN (RFC 3489) A mechanism for a socket behind NAT(s) to get its mapped (IP,port) on Internet. Check whether UA is behind NAT. If not true, the STUN mechanism is not applied. When new socket is created, use this socket to request its mapped (IP,port) from STUN server. The response IP is stored in a string buffer. The response port is saved in a table, using source port as key. When UA wants to stuff local IP or port in a message, it will first look up mapped IP or port in the table. 28 TAC2000/2000
STUN Server Allow clients to discover if it is behind a NAT, what type of NAT T it is, and the public address & port NAT will use. Very Simple Protocol, Easy to implement, Little load Client want receive packet at port 5060 Send a query to STUN server from port 5060 STUN Server receive packet from 202.123.211.25 port 12345 Client IP: 10.0.0.1 Port: 5060 NAT IP: 202.123.211.25 Port: 12345 STUN Server IP: 222.111.99.1 Port: 20202 STUN Server send a response packet to client. Tell him his public address is 202.123.211.25 port 12345 29 TAC2000/2000
Use STUN for SIP Registration Use port 5060 to send a packet to STUN Server Receive public address & port mapped to client:5060 from STUN Server Fill the SIP register message with client s s public address & port, send to proxy server Client IP: 10.0.0.1 Port: 5060 NAT IP: 202.123.211.25 Port: 12345 STUN Server IP: 222.111.99.1 Port: 20202 REGISTER sip:222.111.33.1 SIP/2.0 Via: SIP/2.0/UDP 202.123.211.25:12345 From: Wang <sip:wang@140.128.10.129:5060> To: Wang <sip:wang@140.128.10.129:5060> Contact: Wang <sip:wang@202.123.211.25:12345> Proxy Server IP: 140.128.10.129 Port: 5060 30 TAC2000/2000
Corrected SIP Message LABORATORY 117 31 TAC2000/2000
LABORATORY 117 Use STUN for RTP Send two STUN queries from RTP port (9000 & 9002) to STUN Server Use replied public address & port in SDP Client IP: 10.0.0.1 RTP Port: 9000 RTP Port: 9002 NAT IP: 140.113.131.72 Port: 56539 Port: 56541 STUN Server IP: 222.111.99.1 Port: 3478 INVITE Content-Type: application/sdp Proxy Server IP: 222.111.33.1 Port: 5060 UA RTP Port: 9000 RTP Port: 9002 32 TAC2000/2000
Corrected SDP LABORATORY 117 33 TAC2000/2000
Download UACom.dll with STUN support Close your running SIP UA. Remove the UACom.dll file in your C:\WinApp WinApp\NBENUA directory. Download the new UACom.dll from http://voip /voip.ipv6.club.tw/download/ and save it at C:\WinApp WinApp\NBENUA. Start SIP UA again. The registration and call setup will be successful. cessful. Our implementation supports incoming calls. STUN Client A diagnosis tool which utilizes STUN mechanism to find out the type t of NAT. Usage: stun-client STUN.ipv6.club.tw.tw stun-client t t STUN.ipv6.club.tw.tw stun-client p p 5060 STUN.ipv6.club.tw.tw Note: Be sure to close any running SIP UA before you run the STUN N client. 34 TAC2000/2000
Running STUN Client on a PC in Private LAN 35 TAC2000/2000
stun-client STUN.ipv6.club.tw 36 TAC2000/2000
stun-client t STUN.ipv6.club.tw 37 TAC2000/2000
Testing STUN & SIP UA Applying STUN mechanism in VoIP has been proved to be successful. More field trials must be conducted to make sure that it interoperates with most NAT devices. 38 TAC2000/2000
Clients Behind Symmetric NAT Provide a Call Server with RTP relay for non-upgradeable IP phone or Softphone The loading for this server would be terribly heavy Private Address Domain Symmetric NAT Public Address Domain Call Server with RTP Relay IP Phone B NAT port 12345 RTP IP Phone A Mapping Table 192.168.10.1:5060 <-> 10120 (for Call Server : 5060) 192.168.10.1:9000 <-> 12345 (for Call Server : 9000) 39 TAC2000/2000
Summary STUN is a good solution for non-symmetric NAT Suitable for small-scale scale solution Client-side Enterprise-serverserver Compatible with most NATs STUN server is easy to implement and low-cost Call Server w/ RTP Relay may be needed, if the users cannot make sure whether they are behind a symmetric NAT Capacity is limited Centralized server is expensive That s s why Skype distributed the loading to individual users UPnP is a promising solution, but its nature is competing with IPv6. Peer-to to-peer vs. Gateway/Device model 40 TAC2000/2000